It was discovered that the Internationalization component of OpenJDKdid not restrict search paths when loading resource bundle classes. Alocal attacker could use this to trick a user into running maliciouscode.